2016 HIPAA Audits Part 2: Into the Breach

by Donna Koger, 11.2.15

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires HIPAA Covered Entities (CEs) and their Business Associates (BAs) to provide notification following a breach of unsecured Protected Health Information (PHI). Similar breach notification provisions apply to vendors of personal health records and their third party service providers.

What is a HIPAA breach?

A breach is an unauthorized use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. The Department of Health & Human Services (HHS) lists three exceptions to the definition of “breach”:

1. The first exception is the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.

2. The second exception is the inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

3. The third exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

How do you know if there has been a breach?

According to HHS, an unauthorized use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information was compromised, based on a risk assessment of the following:

1. The nature and extent of the PHI involved, including the types of PHI identifiers

2. The unauthorized person who used the PHI or to whom the disclosure was made

3. Whether the PHI was actually acquired or viewed

4. The extent to which the risk to the PHI has been mitigated

What should you do if there is a breach?

According to HHS, the HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers, pursuant to the HITECH Act.

HHS lists Breach Notification Requirements as: Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the HHS Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

More Information

Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.
